
Bloated Fish


This is the picture after visualizing the data gathered from one malicious node, <75.126.154.249>. Hundreds of active domain names share this IP address, as denoted by the green lines. The red lines inside the body of the “Bloated Fish” denote malicious links. These red lines connect to the fish's pink and red lips, labelled “http://self-relax-massage.com/relax/in.cgi?”. At the moment, the malicious server leads to its payload, “http://great2008x.com/great/pdf.php?id”. This generates an exploit PDF that installs an EXE, targeting users whose default browser opens Adobe Reader automatically.

As observed and mentioned several times before, these malicious PDFs have been quietly increasing in number; recently, however, there has been a significant jump due to the implementation of “PHP PDF”, apparently a form of server-side polymorphism, meaning the generated PDF changes every time it is served. This makes life difficult for most security scanners, which rely on detecting specific files.
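Because a polymorphic generator changes the file on every request, a hash or byte-signature match never fires twice. As an added example (not code from the original post), the check below looks instead at the PDF's structure, flagging a file that combines an auto-trigger (/OpenAction or /AA) with a script or launch action, even when the action dictionary is hex-escaped or tucked inside a compressed object stream. The sample PDFs are constructed here for illustration and the key list is an assumption, not a complete detection rule.

```python
import re
import zlib
import hashlib

# Dictionary keys that let a PDF run something when it is opened. Heuristic
# signals, not a verdict: benign forms also use /JavaScript or /AA.
TRIGGER_KEYS = (b"/OpenAction", b"/AA")
ACTION_KEYS = (b"/JavaScript", b"/JS", b"/Launch")

def _inflate_streams(data: bytes) -> bytes:
    # Append the decompressed body of every deflate stream, so keys that a
    # generator hides inside an object stream (/ObjStm) are inspected too.
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", data, re.S):
        try:  # decompressobj tolerates trailing bytes after the deflate data
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not deflate-compressed; skip it
    return b"\n".join(parts)

def _unescape_names(data: bytes) -> bytes:
    # PDF names may hex-escape characters: /Java#53cript is /JavaScript.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_indicators(data: bytes) -> set:
    body = _unescape_names(_inflate_streams(data))
    return {k.decode() for k in TRIGGER_KEYS + ACTION_KEYS if k in body}

def is_suspicious(data: bytes) -> bool:
    # Auto-trigger plus an executable action, regardless of the file's bytes or hash
    found = pdf_indicators(data)
    return any(k.decode() in found for k in TRIGGER_KEYS) and any(k.decode() in found for k in ACTION_KEYS)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_sample(nonce: bytes, hide_in_objstm: bool = False) -> bytes:
    # Constructed "polymorphic" sample: identical auto-run structure, different filler.
    action = b"<</S/Java#53cript/JS(app.alert(1))>>"
    if hide_in_objstm:
        inner = zlib.compress(b"2 0 " + action)
        obj2 = (b"3 0 obj<</Type/ObjStm/N 1/First 4/Filter/FlateDecode/Length "
                + str(len(inner)).encode() + b">>stream\n" + inner + b"\nendstream\nendobj\n")
    else:
        obj2 = b"2 0 obj" + action + b"endobj\n"
    return (b"%PDF-1.5\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
            + obj2 + b"%" + nonce + b"\n%%EOF\n")

BENIGN = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n"
```

Two samples built with different filler have different hashes, yet both trip the structural check; a file-hash blocklist would catch neither after the first one.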

Notice the fish tail: there are a few red lines leading to the “MacAccess” trojan. As of writing, they all point to “http://opera-power.com/download/7946645975673d6cc63775/flashcodec.dmg”. As usual, it is disguised as a fake codec. Here’s an example below…


“These bloated fish call the cloud their home.”
